In brief
In April, the Information Regulator published amendments to the Protection of Personal Information Act (POPIA) Regulations, significantly enhancing privacy protections for South Africans. These changes simplify the processes for objecting to data processing, requesting corrections or deletions, and obtaining consent for direct marketing. They also introduce new responsibilities for information officers and allow for administrative fines to be paid in installments. These amendments aim to give individuals greater control over their personal information and ensure businesses comply with stricter data protection standards.
In depth
South Africa: Amendments to the POPIA regulations – Key changes you need to know
Across boardrooms and living rooms alike, South Africans are inundated daily by calls, texts and emails pitching everything from insurance to investment schemes. Growing frustrations over unwanted intrusions and mounting concerns about how personal data is harvested have put privacy protection firmly in the spotlight. In this climate, on 17 April 2025, the Information Regulator published the amended Regulations relating to the Protection of Personal Information Act, 2018 (POPIA), (Regulations) for implementation with immediate effect. These amendments mark a decisive shift towards giving individuals real control over how their information is used. They seek to tighten the controls under POPIA by broadening the ability of data subjects to exercise their rights and control in terms of POPIA.
We note some of the more notable amendments to the Regulations as follows:
| Regulation no. | Old position | New position |
| 2 – Objection to the processing of personal information | A data subject who wished to object to the processing of personal information (PI) which (i) protects a legitimate interest, (ii) is necessary for the proper performance of a public law duty or (iii) is necessary for pursuing the legitimate interests of a responsible party, must have submitted the objection to the responsible party using Form 1. | A data subject who wishes to object to the processing of their PI and to direct marketing, must submit the objection to the responsible party on a form substantially similar to Form 1, free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, or WhatsApp and or in any manner expedient to a data subject. When collecting the PI, the responsible party has a duty to inform the data subject of their right to object to processing their PI. If an objection is made telephonically, such an objection shall be electronically recorded by the responsible party and made available to the data subject on request, for free. This new position makes it easier and provides further avenues through more modern channels for data subjects to object to their PI being processed by a responsible party. |
| 3 – Request for correction or deletion of personal information or destruction or deletion of record of personal information | A data subject who wished to request a correction, deletion or destruction of PI must have submitted a request to the responsible party using Form 2. | A data subject who wishes to request a correction, deletion or destruction of PI must submit the request to a responsible party on a form substantially similar to Form 2, free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, WhatsApp message or in any manner expedient to a data subject. Again, this new position makes it easier and provides further avenues for data subjects to request a correction, deletion or destruction of their PI. The amendment also places a new obligation on responsible parties to notify the data subject of such correction, deletion or destruction. |
| 4 – Additional duties and responsibilities of Information Officer | An information officer must have ensured that a manual is developed, monitored, maintained and made available in terms of the Promotion of Access to Information Act, 2000 (PAIA Manual). | The obligation on information officers to prepare PAIA Manuals has been deleted. However, they must still ensure that a compliance framework is developed, implemented, monitored, maintained and continually improved. The amendment provides a welcomed alleviation of the duties of an information officer, who are often overwhelmed by the amount of disclosure to be provided. |
| 6 – Request for data subject’s consent to process personal information for direct marketing | A responsible party who wished to process PI for the purpose of direct marketing by electronic communication must have submitted a request for written consent to that data subject using Form 4. | A responsible party who wishes to process PI for the purpose of direct marketing through unsolicited electronic communication must obtain written consent from a data subject on a form substantially similar to Form 4 or any manner that may be expedient, free of charge and reasonably accessible to a data subject including fax, telephone, email, SMS, WhatsApp or automated calling machine. A request for consent telephonically or by automated calling machine must be recorded by the responsible party and made available to the data subject on request for free. For the purposes of direct marketing through unsolicited electronic communications, ‘opt-out’ shall not constitute consent. The amendment provides more ways for responsible parties to obtain a data subject’s consent, although practically most data subjects are not given the opportunity to consent and are rather requested to opt-out of direct marketing. This is still an area which requires further real-world enforcement. |
| 7 – Submission of complaint | Any person who wished to submit a complaint must have submitted such complaint to the Information Regulator using Form 5. | The following persons may lodge a complaint against a responsible party: (i) a data subject whose PI has been interfered with, (ii) any person acting on behalf of a data subject whose PI has been interfered with, (iii) any person with a sufficient personal interest in the complaint, (iv) a responsible party of data subject aggrieved by the determination of an adjudicator, or (v) any person acting in the public interest. The Form 5, and supporting documentation, can be submitted at the offices of the Regulator (by courier or post) or online on the Regulator’s website or via email. After receipt, the Regulator must provide a reference number to the complainant within 14 days of receipt. The amendment provides further clarification on the claim process, which was previously bare-boned and ambiguous. |
| 13 – Administrative fines | n/a | A responsible party served with an infringement notice by the Information Regulator for committing an office in terms of POPIA and who is unable to pay the administrative fine in a lump sum, may make arrangements with the Information Regulator to pay the administrative fine in instalments on a case-by-case basis. When determining an appropriate payment period, the Information Regulator must consider the financial circumstances of the responsible party, and any other relevant compelling reasons that may directly or indirectly impact on the responsible party’s affordability. This amendment is entirely new, and provides responsible parties an opportunity to pay off any administrative fines in instalments, thus alleviating the financial heft of administrative fines to ensure they are actually paid. |
It is also to be noted that anything done under a provision of the old Regulations and which could have been done under a provision of the new Regulations, shall be regarded as having been done under the new Regulations.
These amendments build upon intensified efforts by South African regulators to tackle data protection. Similar developments have also come from the Department of Trade, Industry and Competition which published draft amendments late last year which sought to establish the long awaited opt-out registry for direct marketing under the Consumer Protection Act Regulations, 2011. These concurrent approaches will require businesses engaged in direct marketing to apply greater scrutiny to their compliance in this market going forward.
